Four published versions of a fake "tanstack" package uploaded in 27 minutes that want to steal your .env files
Essential information
- Published
- 05/05/2026 16:29
- Modified
- 05/05/2026 16:36
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- npm package-squatting postinstall-hook supply-chain tanstack webhook-exfiltration
- Tags
- 2026-05-05 npm package-squatting postinstall-hook supply-chain tanstack webhook-exfiltration
- Related entities
- 5 indicators, 5 observables, 11 techniques (mitre)
Description
An attacker registered the unscoped 'tanstack' name on npm and published four malicious versions (2.0.4-2.0.7) within 27 minutes on April 29, 2026. These packages contained postinstall hooks that automatically exfiltrated environment files containing sensitive credentials when developers ran npm install. The attacker exploited name confusion with the legitimate @tanstack organization, which publishes widely-used JavaScript libraries. The malicious code targeted .env files, stealing AWS keys, API tokens, database credentials, and OAuth secrets by sending them to an attacker-controlled Svix webhook endpoint. Version 2.0.6 was particularly dangerous, sweeping all .env variants in the working directory. The version history reveals live debugging by the attacker, who iteratively refined the payload targeting and stealth capabilities while the package remained publicly available with approximately 19,830 monthly downloads.